authortez <tez@pkgsrc.org>2012-11-20 23:13:03 +0000
committertez <tez@pkgsrc.org>2012-11-20 23:13:03 +0000
commit5bea7f27aa5f87e539b9309e9e10f7e8e73fc3f7 (patch)
treec35153ec31499e573edc6054268db9f72cbeb3c3
parent0639411498111fff5de844751d92fb0dcfa9a707 (diff)
Patches for CVE-2006-4146
from https://bugzilla.redhat.com/show_bug.cgi?id=204841
-rw-r--r--devel/gdb6/Makefile4
-rw-r--r--devel/gdb6/distinfo4
-rw-r--r--devel/gdb6/patches/patch-gdb_dwarf2read.c42
-rw-r--r--devel/gdb6/patches/patch-gdb_dwarfread.c43
4 files changed, 90 insertions, 3 deletions
diff --git a/devel/gdb6/Makefile b/devel/gdb6/Makefile
index 50c1a96d64d..d0075f9bc25 100644
--- a/devel/gdb6/Makefile
+++ b/devel/gdb6/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2012/10/31 11:16:59 asau Exp $
+# $NetBSD: Makefile,v 1.30 2012/11/20 23:13:03 tez Exp $
#
DISTNAME= gdb-6.2.1
-PKGREVISION= 6
+PKGREVISION= 7
CATEGORIES= devel
MASTER_SITES= ftp://sources.redhat.com/pub/gdb/releases/
EXTRACT_SUFX= .tar.bz2
diff --git a/devel/gdb6/distinfo b/devel/gdb6/distinfo
index 08aaca830a8..e009220ab8a 100644
--- a/devel/gdb6/distinfo
+++ b/devel/gdb6/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.13 2009/09/09 12:50:58 wiz Exp $
+$NetBSD: distinfo,v 1.14 2012/11/20 23:13:04 tez Exp $
SHA1 (gdb-6.2.1.tar.bz2) = 50cee3887744c4140aafcc0e4eb579d94464dfd7
RMD160 (gdb-6.2.1.tar.bz2) = 6fe9f3bbef076c55cbcdf05143e7d5f98f61f889
@@ -46,3 +46,5 @@ SHA1 (patch-bn) = cfeee69148028782b9ab6580f0f619d5f3327325
SHA1 (patch-bo) = 92221afaa93d9362057783c20100ce7ff1b5df9b
SHA1 (patch-bp) = bff41b3fb0f5952cbcd37797ec4bb63f6f79da8d
SHA1 (patch-br) = f1e1a0b16721cdc8b1379685a0598211e71cee49
+SHA1 (patch-gdb_dwarf2read.c) = 811455c31b004a35ba557244037cde55c0161777
+SHA1 (patch-gdb_dwarfread.c) = 56a2210a50e31d464eb4ca295b3021d010f738d2
diff --git a/devel/gdb6/patches/patch-gdb_dwarf2read.c b/devel/gdb6/patches/patch-gdb_dwarf2read.c
new file mode 100644
index 00000000000..6041854b68a
--- /dev/null
+++ b/devel/gdb6/patches/patch-gdb_dwarf2read.c
@@ -0,0 +1,42 @@
+$NetBSD: patch-gdb_dwarf2read.c,v 1.1 2012/11/20 23:13:04 tez Exp $
+
+Patch for CVE-2006-4146 from https://bugzilla.redhat.com/show_bug.cgi?id=204841
+
+--- gdb/dwarf2read.c.orig 2004-07-06 19:29:30.000000000 +0000
++++ gdb/dwarf2read.c
+@@ -8027,8 +8027,7 @@ dwarf2_fundamental_type (struct objfile
+ When the result is a register number, the global isreg flag is set,
+ otherwise it is cleared.
+
+- Note that stack[0] is unused except as a default error return.
+- Note that stack overflow is not yet handled. */
++ Note that stack[0] is unused except as a default error return. */
+
+ static CORE_ADDR
+ decode_locdesc (struct dwarf_block *blk, struct dwarf2_cu *cu)
+@@ -8045,7 +8044,7 @@ decode_locdesc (struct dwarf_block *blk,
+
+ i = 0;
+ stacki = 0;
+- stack[stacki] = 0;
++ stack[++stacki] = 0;
+ isreg = 0;
+
+ while (i < size)
+@@ -8227,6 +8226,16 @@ decode_locdesc (struct dwarf_block *blk,
+ dwarf_stack_op_name (op));
+ return (stack[stacki]);
+ }
++ /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
++ outside of the allocated space. Also enforce minimum > 0.
++ -- wad@google.com 14 Aug 2006 */
++ if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
++ internal_error (__FILE__, __LINE__,
++ _("location description stack too deep: %d"),
++ stacki);
++ if (stacki <= 0)
++ internal_error (__FILE__, __LINE__,
++ _("location description stack too shallow"));
+ }
+ return (stack[stacki]);
+ }
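Review bot: The depth guard added at the end of the `while` body in decode_locdesc runs only after the current opcode has already performed its `++stacki` or `stacki--` access, so it is sound only while every case moves the stack by at most one slot per iteration; a comment stating that invariant next to the check would keep a later opcode that pushes or pops twice from reintroducing the out-of-bounds write. Both conditions are reachable from a malformed location expression in an untrusted object file, so routing them through `internal_error` reports bad input as a GDB bug; `error (_("location description stack too deep: %d"), stacki);` would reject the input instead, assuming `error` is usable at this point. With the initialiser changed to `stack[++stacki] = 0;`, stack[0] is no longer assigned in the visible lines, and the retained comment calling stack[0] "a default error return" looks stale now that `stacki <= 0` aborts. The same three points apply to the locval hunk in patch-gdb_dwarfread.c. Both function bodies extend beyond the hunks, so the per-opcode behaviour is inferred rather than shown.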
diff --git a/devel/gdb6/patches/patch-gdb_dwarfread.c b/devel/gdb6/patches/patch-gdb_dwarfread.c
new file mode 100644
index 00000000000..7fa276b02bd
--- /dev/null
+++ b/devel/gdb6/patches/patch-gdb_dwarfread.c
@@ -0,0 +1,43 @@
+$NetBSD: patch-gdb_dwarfread.c,v 1.1 2012/11/20 23:13:04 tez Exp $
+
+Patch for CVE-2006-4146 from https://bugzilla.redhat.com/show_bug.cgi?id=204841
+
+--- gdb/dwarfread.c.orig 2004-07-17 14:16:14.000000000 +0000
++++ gdb/dwarfread.c
+@@ -2137,9 +2137,7 @@ decode_line_numbers (char *linetable)
+
+ NOTES
+
+- Note that stack[0] is unused except as a default error return.
+- Note that stack overflow is not yet handled.
+- */
++ Note that stack[0] is unused except as a default error return. */
+
+ static int
+ locval (struct dieinfo *dip)
+@@ -2159,7 +2157,7 @@ locval (struct dieinfo *dip)
+ loc += nbytes;
+ end = loc + locsize;
+ stacki = 0;
+- stack[stacki] = 0;
++ stack[++stacki] = 0;
+ dip->isreg = 0;
+ dip->offreg = 0;
+ dip->optimized_out = 1;
+@@ -2223,6 +2221,16 @@ locval (struct dieinfo *dip)
+ stacki--;
+ break;
+ }
++ /* Enforce maximum stack depth of size-1 to avoid ++stacki writing
++ outside of the allocated space. Also enforce minimum > 0.
++ -- wad@google.com 14 Aug 2006 */
++ if (stacki >= sizeof (stack) / sizeof (*stack) - 1)
++ internal_error (__FILE__, __LINE__,
++ _("location description stack too deep: %d"),
++ stacki);
++ if (stacki <= 0)
++ internal_error (__FILE__, __LINE__,
++ _("location description stack too shallow"));
+ }
+ return (stack[stacki]);
+ }